Clinic Security and Policy Enforcement in Windows Server 2008

Introduction
Name
Company affiliation
Title/function
Job responsibility
Windows Server 2003, XP and Vista experience
Security Experience
Expectations
Facilities
Class hours
Building hours
Parking
Restrooms
Meals
Phones
Messages
Smoking
Recycling
About This Clinic
Description
Clinic Objectives
Audience
Prerequisites
Clinic Outline
Security Enhancements in Windows Server 2008
Network Access Protection
Infrastructure Optimization
• Technology framework to help maximize the value of your IT investments
• Structured way to drive cost reduction, security and efficiency gains, and boost agility
• Based on industry analyst and academic work
• Provides guidance and best practices for step-by-step implementation
Security Enhancements in Windows Server 2008
Overview
Methods of Security and Policy Enforcement
Network Location Awareness
Network Access Protection
Windows Firewall with Advanced Security (WFAS)
Internet Protocol Security (IPSec)
Windows Server Hardening
Server and Domain Isolation
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Removable Device Installation Control
Enterprise PKI
Technical Background
Windows Firewall with Advanced Security
Internet Protocol Security (IPSec)
Active Directory Domain Services Auditing
Read-Only Domain Controller (RODC)
BitLocker Drive Encryption
Enterprise PKI
Windows Firewall with Advanced Security
Demonstration: Windows Firewall with Advanced Security
• Creating Inbound and Outbound Rules
• Creating a Firewall Rule Limiting a Service
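The demonstration above is performed in the WFAS MMC snap-in; the same three rule types can be created from the command line with netsh advfirewall, which is what you would script for repeatable server builds. This is an added example, not material from the clinic deck: the rule names are chosen here, and the ports and scopes are constructed sample values for illustration.

```batch
@echo off
rem Added example (not from the clinic deck): WFAS rules via netsh advfirewall.
rem Run in an elevated command prompt on Windows Server 2008.

rem 1. Inbound rule: allow ICMPv4 echo requests (type 8) from the local subnet only,
rem    and only while the Domain profile is active.
netsh advfirewall firewall add rule name="Clinic - Allow ping from local subnet" dir=in action=allow protocol=icmpv4:8,any remoteip=localsubnet profile=domain

rem 2. Outbound rule: block outbound Telnet (TCP 23) on every profile, so a clear-text
rem    management protocol cannot be used from this server.
netsh advfirewall firewall add rule name="Clinic - Block outbound Telnet" dir=out action=block protocol=TCP remoteport=23 profile=any

rem 3. Rule limited to a service: open TCP 3389 for the Terminal Services service only
rem    (short name TermService, hosted in svchost.exe). A different process that listens
rem    on 3389 is not matched by this rule, which is the point of scoping to a service.
netsh advfirewall firewall add rule name="Clinic - RDP for TermService only" dir=in action=allow protocol=TCP localport=3389 service=TermService program="%SystemRoot%\system32\svchost.exe" profile=domain

rem 4. Verify what was created, including the service scope.
netsh advfirewall firewall show rule name="Clinic - RDP for TermService only" verbose

rem 5. Cleanup, if these were only created for the demonstration.
rem netsh advfirewall firewall delete rule name="Clinic - Allow ping from local subnet"
rem netsh advfirewall firewall delete rule name="Clinic - Block outbound Telnet"
rem netsh advfirewall firewall delete rule name="Clinic - RDP for TermService only"
```

Rules created this way are local rules; if Group Policy is configured not to merge local rules, they will be ignored, which is the first thing to check when a scripted rule appears in `show rule` but has no effect.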
IPSec
Integrated with WFAS
IPSec Improvements
Simplified IPSec Policy Configuration
Client-to-DC IPSec Protection
Improved Load Balancing and Clustering Server Support
Improved IPSec Authentication
Integration with NAP
Multiple Authentication Methods
New Cryptographic Support
Integrated IPv4 and IPv6 Support
Extended Events and Performance Monitor Counters
Network Diagnostics Framework Support
Demonstration: Creating IPSec Policies
• Creating an IPSec Rule
• Specifying Different Authentication Methods
• Activating and Deactivating Rules
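In Windows Server 2008, IPSec rules are WFAS connection security rules, so the three demonstration steps map onto the netsh advfirewall consec context. The following is an added example, not part of the clinic: rule names are chosen here, 10.0.0.10 is a constructed sample server address, and the exact spelling of the quick-mode `qmsecmethods` value should be confirmed against `netsh advfirewall consec add rule ?` on the target system before use.

```batch
@echo off
rem Added example (not from the clinic deck): IPSec via WFAS connection security rules.
rem Run in an elevated command prompt on a domain-joined Windows Server 2008 member.

rem 1. Create an IPSec rule for domain isolation: ask every peer to authenticate,
rem    require it for inbound connections, and use computer Kerberos (the default
rem    authentication for domain members). ESP with AES-128 encryption is requested so
rem    that protected traffic is encrypted, not only integrity-checked.
netsh advfirewall consec add rule name="Clinic - Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb qmsecmethods=esp:sha1-aes128 profile=domain

rem 2. Create a second rule with different authentication methods for a sensitive
rem    server (sample address 10.0.0.10): first authentication by computer Kerberos
rem    with NTLMv2 as a fallback, plus a second authentication of the user by Kerberos,
rem    and authentication required in both directions.
netsh advfirewall consec add rule name="Clinic - Server isolation (users)" endpoint1=any endpoint2=10.0.0.10 action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb qmsecmethods=esp:sha256-aes256 profile=domain

rem 3. Deactivate and reactivate a rule without deleting it (useful while testing:
rem    a misconfigured "require" rule can lock administrators out of the server).
netsh advfirewall consec set rule name="Clinic - Server isolation (users)" new enable=no
netsh advfirewall consec set rule name="Clinic - Server isolation (users)" new enable=yes

rem 4. Inspect the rules and the security associations actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Start with `requestinrequestout` and move to `requireinrequestout` only after `monitor show qmsa` confirms that the peers you expect are negotiating ESP; a rule that requires authentication from a host that cannot authenticate simply drops the traffic.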
AD Domain Services Auditing
What changes have been made to AD DS auditing?
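One of the AD DS auditing changes in Windows Server 2008 is the Directory Service Changes audit subcategory, which records the old and new attribute values of a modified object instead of only the fact that a change was made. The following is an added example, not from the clinic deck, showing how a domain controller is configured to record these events and how the resulting log entries are queried.

```batch
@echo off
rem Added example (not from the clinic deck): enabling and reading Directory Service
rem Changes auditing on a Windows Server 2008 domain controller (elevated prompt).

rem 1. Show the current per-subcategory settings for the DS Access category.
auditpol /get /category:"DS Access"

rem 2. Enable the Directory Service Changes subcategory for success and failure.
rem    Events are only generated for objects whose SACL audits the attribute write;
rem    the audit policy alone is not sufficient.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

rem 3. Read the five most recent attribute-modification events (ID 5136) from the
rem    Security log, newest first, in text form. Related IDs: 5137 (object created),
rem    5138 (undeleted), 5139 (moved), 5141 (deleted).
wevtutil qe Security /q:"*[System[(EventID=5136)]]" /c:5 /rd:true /f:text
```

If a domain Group Policy defines the legacy "Audit directory service access" setting, it can override the subcategory value set locally; confirm with `auditpol /get` after the next policy refresh rather than assuming the local change stuck.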
Read-Only Domain Controller (RODC)
New Functionality
AD Database
Unidirectional Replication
Credential Caching
Password Replication Policy
Administrator Role Separation
Read-Only DNS
Requirements/Special Considerations
RODC
BitLocker Drive Encryption (BDE)
Data Protection
Drive Encryption
Integrity Checking
BDE Hardware and Software Requirements
Enterprise PKI
Easier management through PKIView
Certificate Web Enrollment
Network Device Enrollment Service
Managing Certificate with Group Policy
Certificate Deployment Changes
Online Certificate Status Protocol (OCSP)
Support
Cryptographic Next Generation
Implementation/Usage Scenarios
Enforce Security Policy
Improve Domain Security
Improve System Security
Improve Network Communications Security
Recommendations
Carefully test and plan all security policies
Implement Network Access Protection
Use Windows Firewall with Advanced Security to implement IPSec
Deploy Read-Only Domain Controllers, where appropriate
Implement BitLocker Drive Encryption
Take advantage of PKI improvements
Summary
Windows Server 2008 includes a variety of new security
initiatives and features:
• Network Access Protection
• Windows Firewall with Advanced Security (WFAS) enhancements
• IPSec improvements
• Windows Server Hardening
• Server and Domain Isolation
• Active Directory Domain Services Auditing
• Read-Only Domain Controllers (RODCs)
• BitLocker Drive Encryption
• Removable Device Installation Control
• Improvements to Enterprise PKI capabilities
Questions and Answers
Network Access Protection in Windows Server 2008
Overview
Network Access Protection compared with Network Access Quarantine Control

                      Network Access Protection                      Network Access Quarantine Control
Clients covered       Internal, VPN and remote access clients        Only VPN and remote access clients
Enforcement methods   IPSec, 802.1X, DHCP and VPN                    DHCP and VPN
Availability          NAP NPS and client included in Windows          Installed from the Windows Server 2003
                      Server 2008; NAP client included in Vista        Resource Kit
Technical Background
NAP Infrastructure
NAP Platform Architecture
NAP Enforcement Methods
NAP Client Architecture
NAP Server Architecture
Component Communication
NAP Infrastructure
Automatic Remediation
Health Policy Validation
Health Policy Compliance
Limited Access
NAP Platform Architecture
NAP Enforcement Client
IPSec
802.1X
VPN
DHCP
NPS
RADIUS
Demonstration: Network Access Protection
• Create a NAP Policy
• Using the MMC to Create NAP Configuration Settings
• Create a New RADIUS Client
• Create a New System Health Validator for Windows Vista and Windows XP SP2
How NAP Works
Logical Networks
IPSec Enforcement
IEEE 802.1X
Remote Access VPNs
DHCP
IPSec Enforcement in Logical Networks
Communication Initiation Process with IPSec Enforcement
NAP Client Health Certificate Process
IPSec Enforcement in NAP
802.1x Authenticated Connections
NAP Authentication Process Background
Authentication Process
Network Access Protection Settings
Authorization Policies
Implementation/Usage Scenarios
Checking the Health and Status of Roaming Laptops
Ensuring the Health of Corporate Desktops
Determining the Health of Visiting Laptops
Verify the Compliance of Home Computers
Recommendations
When using IPSec, employ ESP with encryption
Carefully test and verify all IPSec policies
Consider using Domain Isolation
Use Quality of Service to manage bandwidth
Plan to prioritize traffic on the network
Apply Network Access Protection to secure client computers
Summary
Network Access Protection:
Secures remote computers before they access the network
Has client and server components
Can use one or more of several methods for enforcement:
• IPSec
• 802.1X
• VPN
• DHCP
Provides support for third-party software
Questions and Answers
Lab: Network Access Protection
In this lab, you will work through:
• Network Communications using WFAS
• Enforcing network communication policy using Policy-based QoS
• Network Access Protection with Windows Server 2008
What Next?
Windows Server 2008
Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection
• Home Page: http://www.microsoft.com/nap
• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
• IPSec: http://www.microsoft.com/ipsec
• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx